tsai
/
abp
mirror of https://github.com/abpframework/abp.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Open Source Web Application Framework for ASP.NET Core
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
35852 Commits
257 Branches
285 Tags
2.0 GiB
 
 
 
 
 
 
Tree: 2e20544ffe
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2e20544ffe'
${ noResults }
abp/docs/en/modules/identity/session-management.md

2.7 KiB
Raw Blame History

Session Management

The Session Management feature allows you to prevent concurrent login and manage user sessions.

Prevent concurrent login

There is a setting in the identity section to prevent concurrent login. It has three options:

  1. Disabled

    No restriction on concurrent login. This is the default.

  2. LogoutFromSameTypeDevices

    Only one session of the same type can exist. Same type means we can restrict single login with a browser, but we may still can login with a mobile application without affecting the browser session. So, for each device type, we may allow a single login.

  3. LogoutFromAllDevices

    All other sessions will be logged out when a new session is created.

prevent-concurrent-login

Manage user sessions

You can view and manage user sessions on the Users page of the Identity module.

user-sessions sessions-modal.png session-details-modal.png

Once you revoke a session, the user will be logged out.

IdentitySessionCleanupBackgroundWorker

The IdentitySessionCleanupBackgroundWorker is a background worker that will remove the sessions that have not been active in the past.

IdentitySessionCleanupOptions

  • IsCleanupEnabled: Default value is true.
  • CleanupPeriod: Default value is 1 hour.
  • InactiveTimeSpan: Default value is 30 days.

How it works

This feature depends on the Dynamic Claims feature of the ABP framework. Here is how it works:

  • The IdentitySessionClaimsPrincipalContributor will generate a random GUID as a sessionid to add the ClaimsPrincipal, This usually happens when logging in to get the user's claims.
  • The OnSignedIn event of Identity and ProcessSignIn event of OpenIddict will get this sessionid and store it in the database (IdentitySession table).
  • The Dynamic Claims system's IdentitySessionDynamicClaimsPrincipalContributor will ensure the sessionid exists or signs out.
  • The IdentitySessionChecker will check the sessionid that exists and update the LastAccessed and IpAddress to the cache.
  • The IdentitySessionManager is used to get one or a list of sessions and update the LastAccessed and IpAddress from the cache to the database.
  • The module will remove the session when logging out.
  • The IdentitySessionCleanupBackgroundWorker will remove the inactive sessions.
  • Once a new session has been created, we will remove the other sessions based on the PreventConcurrentLogin setting.
  • The IdentitySessionManager is used to manage/maintain the sessions. Please use this class instead of directly using the repository.